OAuth Device Code Phishing Campaigns Target Microsoft 365 for Covert Account Takeovers
December 26th, 2025
High
Our Cyber Threat Intelligence Unit is tracking a widespread and actively exploited phishing technique targeting Microsoft 365 (M365) environments that abuses the OAuth 2.0 device authorization flow. Commonly referred to as OAuth device code phishing, this tactic co-opts Microsoft’s legitimate device login mechanism to trick users into entering attacker-generated device codes on official Microsoft login pages. When a user authenticates these codes, the adversary’s application receives a valid access token, granting unauthorized access to the victim’s M365 account. This technique has been observed in a surge of real-world attacks affecting enterprise and cloud users. Threat actors are using convincing lures such as shared documents, missed file notifications, or invitation links to prompt victims to complete the OAuth flow. Given the widespread use of Microsoft 365 and the difficulty of distinguishing this abuse from legitimate authentication activity, organizations should treat this as a high-priority authentication abuse threat and take immediate steps to strengthen OAuth-related defenses.
Technical Details
Attack Type: OAuth 2.0 device code phishing
Severity: High
Targeted Accounts: Microsoft 365 / Azure AD (Entra ID) identities
Attack Chain:
Initial Access → Phishing Delivery: Victims receive phishing emails impersonating trusted internal or third-party services. These messages typically contain embedded hyperlinks, shortened URLs, or QR codes that redirect the user to attacker-controlled infrastructure.
User Interaction → Device Code Presentation: The phishing page displays a unique attacker-generated device code and instructs the victim to visit Microsoft’s legitimate device login portal (e.g., https://microsoft.com/devicelogin) and enter the code, presenting it as a one-time verification or security confirmation step.
OAuth Device Authorization → User Approval: When the user enters the attacker-provided code and authenticates, they unknowingly authorize the attacker-controlled Azure application via the OAuth 2.0 device authorization flow.
Token Retrieval → Attacker Access Granted: The attacker’s OAuth client continuously polls Microsoft’s token endpoint and retrieves a valid access token as soon as the user authorizes the session.
Post-Compromise Abuse → Account Takeover: The attacker now possesses a legitimate OAuth token that provides access to Microsoft 365 resources such as email, OneDrive, SharePoint, Teams, and directory data, often without additional MFA prompts or password entry.
Phishing Tooling Observed:
SquarePhish2: Automates the OAuth device code attack flow, including QR code delivery, social engineering triggers, and token capture.
Graphish phishing kit: Uses Azure App Registrations and reverse proxy servers to conduct adversary-in-the-middle (AiTM)-style phishing, supporting credential and session hijacking and, under certain conditions, bypass of MFA protections.

Impact
Unauthorized access to Microsoft 365 accounts via attacker-issued tokens.
Full control over compromised accounts using attacker-issued access tokens.
Theft of sensitive email, chat, document, and directory data.
Business email compromise (BEC) and user impersonation.
Abuse of trusted accounts for lateral phishing and propagation.
Difficult-to-detect activity due to use of legitimate Microsoft authentication endpoints and OAuth flows.
Detection Method
Direct detection of OAuth device code abuse is challenging because the authentication occurs through legitimate Microsoft login infrastructure. However, organizations can improve detection fidelity by correlating identity and email telemetry for anomalies, including:
Sign-in events associated with device code authorization flows originating from unfamiliar devices, geolocations, or IP addresses.
Authorizations granted to unrecognized or suspicious Azure applications.
OAuth consents occurring shortly after reported phishing email delivery.
Signs of new OAuth app authorizations that users do not recall approving.
Unusual login timing patterns or sudden changes in application access.
Correlation between phishing campaign infrastructure and subsequent tenant logins.
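The correlation described above, as an added example that is not part of this advisory: a check that runs over Entra ID sign-in records, keeps only device authorization flow sign-ins, and flags those from an unfamiliar country, to an app not approved for device-code use, or within a window after a phishing email was delivered to the same user. Field names follow the Microsoft Graph signIn resource (authenticationProtocol equal to "deviceCode" marks the device authorization flow); the records, baselines and delivery times are constructed for the example.

```python
# Added example for the advisory's detection guidance; not the advisory's
# own tooling. Field names follow the Microsoft Graph signIn resource;
# all record values, baselines and timestamps below are constructed.
from datetime import datetime, timedelta, timezone

SAMPLE_SIGNINS = [
    {   # device-code sign-in from a new country, to an unknown app, soon after a phishing mail
        "userPrincipalName": "alice@example.com",
        "createdDateTime": "2025-12-15T10:30:00Z",
        "ipAddress": "203.0.113.45",
        "location": {"countryOrRegion": "NL"},
        "appId": "7f1c2a3b-0000-4000-8000-000000000001",
        "appDisplayName": "Document Viewer",
        "authenticationProtocol": "deviceCode",
    },
    {   # ordinary browser sign-in; not a device-code flow, so ignored
        "userPrincipalName": "bob@example.com",
        "createdDateTime": "2025-12-15T11:00:00Z",
        "ipAddress": "198.51.100.7",
        "location": {"countryOrRegion": "US"},
        "appId": "22222222-2222-2222-2222-222222222222",
        "appDisplayName": "Office 365 Web",
        "authenticationProtocol": "oAuth2",
    },
    {   # legitimate device-code use: known country, approved CLI app
        "userPrincipalName": "carol@example.com",
        "createdDateTime": "2025-12-15T12:15:00Z",
        "ipAddress": "198.51.100.9",
        "location": {"countryOrRegion": "US"},
        "appId": "11111111-1111-1111-1111-111111111111",
        "appDisplayName": "Corporate CLI",
        "authenticationProtocol": "deviceCode",
    },
    {   # device-code sign-in to an unknown app from abroad, no phishing delivery on file
        "userPrincipalName": "dave@example.com",
        "createdDateTime": "2025-12-15T13:45:00Z",
        "ipAddress": "192.0.2.88",
        "location": {"countryOrRegion": "RO"},
        "appId": "7f1c2a3b-0000-4000-8000-000000000002",
        "appDisplayName": "SharePoint Files Sync",
        "authenticationProtocol": "deviceCode",
    },
]

# Constructed baselines: countries each user normally signs in from, and the
# app registrations the tenant allows to use the device-code flow.
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"},
                   "carol@example.com": {"US", "CA"}, "dave@example.com": {"US"}}
APPROVED_DEVICE_CODE_APPS = {"11111111-1111-1111-1111-111111111111": "Corporate CLI"}

# Constructed phishing-delivery times (from the mail gateway or user reports).
PHISHING_DELIVERIES = [("alice@example.com", "2025-12-15T09:05:00Z")]


def _ts(value):
    """Parse the UTC timestamp format used in sign-in logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspect_device_code_signins(signins, known_countries, approved_apps,
                                     phishing_deliveries, window=timedelta(hours=24)):
    """Return one finding per device-code sign-in that trips at least one check."""
    deliveries = [(upn, _ts(when)) for upn, when in phishing_deliveries]
    findings = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        upn = rec["userPrincipalName"]
        when = _ts(rec["createdDateTime"])
        reasons = []
        country = rec.get("location", {}).get("countryOrRegion")
        if country not in known_countries.get(upn, set()):
            reasons.append(f"unfamiliar country {country} (IP {rec.get('ipAddress')})")
        if rec.get("appId") not in approved_apps:
            reasons.append(f"grant to unapproved app {rec.get('appDisplayName')!r} ({rec.get('appId')})")
        for d_upn, d_time in deliveries:
            if d_upn == upn and timedelta(0) <= when - d_time <= window:
                reasons.append(f"{when - d_time} after a phishing delivery to this user")
                break
        if reasons:
            findings.append({"user": upn, "time": rec["createdDateTime"],
                             "appId": rec.get("appId"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspect_device_code_signins(SAMPLE_SIGNINS, KNOWN_COUNTRIES,
                                              APPROVED_DEVICE_CODE_APPS, PHISHING_DELIVERIES):
        print(f["user"], f["time"], f["appId"])
        for r in f["reasons"]:
            print("  -", r)
```

On the sample data the check flags alice (three reasons) and dave (two reasons) and leaves carol's approved CLI sign-in alone; in production the baselines would come from a rolling window of prior sign-ins and the tenant's app allowlist rather than static dictionaries.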
Indicators of Compromise
Domains:
xgjtvyptrjlsosv.live
vaultally.com
docifytoday.com
filetix.com
nebulafiles.com
novodocument.com
spacesdocs.com
acxioswan.com
acxishare.com
collabodex.com
infoldium.com
renewauth.com
myfilepass.com
confidentfiles.com
magnavite.com
97d7e46b-1bff-4f24-b262-8b0b3914d88a.us5.azurecomm.net
bluecubecapital.com
allspringglobalinvestmentsllc.onmicrosoft.com
aresmanagementllc.onmicrosoft.com
citadeladvisorsllc.onmicrosoft.com
cpuhp.onmicrosoft.com
millenniummanagementllc.onmicrosoft.com
URLs:
hxxps://sharefile.progressivesharepoint.top/
hxxps://progressiveweba.z13.web.core.windows.net
hxxps://agimplfundmgt.z13.web.core.windows.net
hxxps://blackrockfundmgt.z13.web.core.windows.net
hxxps://onlinedocuments-[OrganizationName].vxhwuulcnfzlfmh.live/application/a[PII_Linkable_hex]9
hxxps://onlinedocuments-[OrganisationName].vxhwuulcnfzlfmh.live/token/request?id=a[PII_Linkable_hex]9
hxxps://www.vaultaliy.com/a[PII_Linkable_hex]9
hxxps://www.virtoshare.com/99[PII_Linkable]e9
hxxps://onlinedocuments-[OrganisationName].xgjtvyptrjlsosv.live/application/99[PII_Linkable]e9
hxxps://onlinedocuments-[OrganisationName].xgjtvyptrjlsosv.live/token/request?id=99[PII_Linkable]e9
hxxps://www.renewauth.com/3a[PII_Linkable]59
hxxps://www.myfilepass.com/69[PII_Linkable]ed
hxxps://login.microsoftonline.com/common/oauth2/deviceauth[Abused]
hxxps://clientlogin.blitzcapital.net/
hxxps://onedrive[.]gov-zm[.]workers[.]dev
hxxps://portal.msprogresssharefile.cloud/
hxxps://sharingfilesystems.z13.web.core.windows.net
hxxps://myapplicationinterfaces.s3.eu-north-1.amazonaws.com/index.html
hxxps://corphostedfileservices.s3.eu-north-1.amazonaws.com/auth.html
IPs:
196.251.80.184

Recommendations
Organizations should take the following steps to reduce exposure:
Harden OAuth Authentication Flows: Create Conditional Access policies to block or restrict device-code authentication flows. Initially deploy in Report-only / Policy Impact mode to assess business impact before enforcing block controls.
Restrict High-Risk Authentication Paths: Limit device-code authentication to approved users, roles, and trusted IP ranges where possible.
Constrain Device Trust Requirements: Require compliant or registered devices, particularly for privileged accounts.
Strengthen Identity Risk Controls: Apply MFA and adaptive risk-based policies to detect anomalous sign-ins and privilege escalation attempts.
Monitor OAuth Activity: Review OAuth app consents, token activity, and sign-in telemetry for unauthorized or unusual patterns.
User Awareness: Update security training to explicitly warn users never to enter verification codes received via email or QR code, even if prompted to use a legitimate Microsoft page.
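The first two recommendations above (a Conditional Access policy that blocks the device-code flow, deployed in report-only mode first), as an added example that is not part of this advisory: a helper that builds the policy body in the shape of the Microsoft Graph conditionalAccessPolicy resource, and an audit that classifies a tenant's existing policies as enforcing the block, only partially covering it (report-only or scoped to a subset of users), or missing it. The use of the authenticationFlows condition with a transferMethods value of "deviceCodeFlow" is taken from the Graph schema and is an assumption of this example; the sample policies are constructed.

```python
# Added example for the advisory's Conditional Access recommendation; not the
# advisory's own material. Policy shape follows the Microsoft Graph
# conditionalAccessPolicy resource; the authenticationFlows/transferMethods
# condition value "deviceCodeFlow" is assumed from the Graph schema, and the
# sample policies below are constructed.
import json

DEVICE_CODE_FLOW = "deviceCodeFlow"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def recommended_policy(state=REPORT_ONLY, display_name="Block device code flow",
                       exclude_groups=()):
    """Policy body that blocks the device-code flow for all users and apps.
    Default state is report-only so impact can be assessed before the
    state is switched to "enabled"; exclude_groups carries break-glass or
    approved-automation groups (object ids) that keep access."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": DEVICE_CODE_FLOW},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _blocks_device_code(policy):
    """True if the policy's block control is conditioned on the device-code flow."""
    conds = policy.get("conditions") or {}
    flows = conds.get("authenticationFlows") or {}
    # transferMethods is a comma-separated flag string in the Graph schema.
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    controls = policy.get("grantControls") or {}
    return DEVICE_CODE_FLOW in methods and "block" in (controls.get("builtInControls") or [])


def audit_device_code_coverage(policies):
    """Classify coverage: 'enforced' (an enabled, tenant-wide block exists),
    'partial' (only report-only or user-scoped blocks), or 'missing'."""
    enforced, partial = [], []
    for p in policies:
        if not _blocks_device_code(p):
            continue
        users = (p.get("conditions") or {}).get("users") or {}
        tenant_wide = "All" in (users.get("includeUsers") or [])
        if p.get("state") == "enabled" and tenant_wide:
            enforced.append(p["displayName"])
        elif p.get("state") in ("enabled", REPORT_ONLY):
            partial.append(p["displayName"])
    if enforced:
        return {"status": "enforced", "policies": enforced}
    if partial:
        return {"status": "partial", "policies": partial}
    return {"status": "missing", "policies": []}


# Constructed tenant: an MFA policy that says nothing about device code, a
# disabled leftover block, and a report-only draft of the recommended block.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    recommended_policy(state="disabled", display_name="Block device code flow (old)"),
    recommended_policy(),
]


if __name__ == "__main__":
    print(json.dumps(recommended_policy(), indent=2))
    print(audit_device_code_coverage(SAMPLE_POLICIES))
```

Against the constructed tenant the audit reports "partial" with only the report-only draft listed; once that policy's state is changed to "enabled" the same audit reports "enforced". Feeding the audit the live policy list from the Graph conditional access policies endpoint turns it into a standing check that the control has not been disabled or narrowed since deployment.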
Conclusion
OAuth device code phishing represents a material escalation in identity-focused phishing tradecraft, allowing adversaries to weaponize legitimate Microsoft authentication workflows for stealthy account takeover. Because these campaigns leverage official Microsoft login infrastructure and attacker-registered OAuth applications, traditional URL filtering, phishing detection, and password-centric defenses offer limited protection. With multiple campaigns already observed in the wild and continued expansion of attacker tooling, we urge organizations to adopt identity-centric defenses, including Conditional Access enforcement, OAuth token monitoring, and targeted user education, to detect and mitigate this threat effectively.